After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
FIPS compliance
With the 5.2.1 and higher releases, Splunk SOAR (On-premises) can be deployed in a Federal Information Processing Standard (FIPS) compliant mode.
For a security application such as Splunk SOAR (On-premises) to be considered FIPS compliant, it must meet the standards specified by the National Institute of Standards and Technology (NIST) in the standard FIPS 140-2.
Splunk SOAR (On-premises) differences for FIPS
When deployed in FIPS compliant mode, there are differences in Splunk SOAR (On-premises) 5.2.1 from earlier releases.
- Support for MD5 hashing is disabled.
- Python 2 support is disabled.
- In FIPS compliant mode:
  - On Red Hat Enterprise Linux 7.x or Amazon Linux 2, Splunk SOAR (On-premises) installs and uses OpenSSL 1.1.
  - On Red Hat Enterprise Linux 8.x, Splunk SOAR (On-premises) uses the system's version of OpenSSL. You are responsible for ensuring your system's version of OpenSSL is FIPS compliant. Search for "Enabling FIPS Mode" in the Security Guide on redhat.com.
- Splunk SOAR (On-premises) uses a FIPS compliant version of Python 3 which does not support disallowed hashing methods.
Prerequisites for deploying in FIPS compliant mode
If you need to adhere to the FIPS standard, you must prepare your environment for FIPS compliance before deploying Splunk SOAR (On-premises).
Operating System
You must use a supported operating system in FIPS mode:
- Red Hat Enterprise Linux 7.6 through 7.9
- Red Hat Enterprise Linux 8.0 and any of the minor versions of 8.
- Amazon Linux 2
- Oracle Linux 8
You can learn more about setting your operating system to use FIPS mode from the operating system vendor's websites:
- RHEL 7.x in the Red Hat Security Guide in Chapter 9.
- RHEL 8.x in the Red Hat Security Guide in Chapter 3.
- Amazon Linux 2 in the AWS Public Sector blog post Enabling FIPS mode in Amazon Linux 2.
- Oracle Linux 8 FIPS 140-2 Compliance in Oracle Linux 8.
Clustering and external services
When you deploy either a Splunk SOAR (On-premises) cluster or a Splunk SOAR (On-premises) instance with external services:
- Each cluster node or external service must be deployed on a FIPS compliant operating system.
- Each external service, such as PostgreSQL, Splunk Enterprise, your load balancer, and file share file system must be in FIPS compliant mode.
Limitations
Deploying in FIPS compliant mode has the following limitations:
- Only new deployments can be created. Upgrades from non-FIPS deployments to FIPS deployments are not possible.
- Only unprivileged deployments are supported.
- You cannot disable FIPS mode. Once deployed in FIPS compliant mode, the choice cannot be undone, nor can the deployment be downgraded to a non-FIPS mode.
Apps
Not all apps have been validated for FIPS compliance.
When you attempt to install a new app, or configure an asset for an installed app that is not validated as FIPS compliant, a warning message will be displayed. You may still install apps, but their actions may fail for FIPS related constraints such as disallowed TLS certificate signing or hashing algorithms, or unsupported Python versions.
Updated apps are released on Splunkbase and the Phantom Community Portal. You can always check to see if an app has been updated for FIPS compliance.
How to determine if Splunk SOAR (On-premises) is in FIPS compliant mode
In order to determine if your deployment is in FIPS compliant mode, you can either check the user interface, or use a REST API.
Check FIPS compliant status in the user interface
Use the user interface to check FIPS status.
- From the Home menu, select Administration.
- Select About.
If the deployment is in FIPS compliant mode, the FIPS enabled line will read "Yes".
Check FIPS compliant status with the REST API
Use the REST API to determine whether or not a deployment is in FIPS compliant mode.
Send a query using the /rest/system_settings?sections=["fips"] API.
The response is a JSON body of the ["fips"] section of the system settings. If "enabled" is true, then FIPS compliant mode is enabled.
{ "fips": { "enabled": true } }
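An added example (not from the Splunk documentation) of running the REST check above from a script: it URL-encodes the ["fips"] query value and reports FIPS as enabled only when "enabled" is the JSON boolean true. The sample responses and the use of the ph-auth-token header for authentication are assumptions not stated on this page.

```python
import json
import ssl
import urllib.parse
import urllib.request

def fips_status_url(base_url):
    """Build the system_settings query; the ["fips"] value must be URL-encoded."""
    query = urllib.parse.urlencode({"sections": json.dumps(["fips"])})
    return f"{base_url.rstrip('/')}/rest/system_settings?{query}"

def parse_fips_enabled(body):
    """Return True only when the response says {"fips": {"enabled": true}}.

    Fails closed: malformed JSON, a missing section, or a non-boolean
    value (for example the string "true") all count as not enabled.
    """
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False
    section = doc.get("fips") if isinstance(doc, dict) else None
    return isinstance(section, dict) and section.get("enabled") is True

def check_fips(base_url, token, cafile=None):
    """Query a live deployment. Assumes token auth via the ph-auth-token header."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate verification stays on
    req = urllib.request.Request(fips_status_url(base_url),
                                 headers={"ph-auth-token": token})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_fips_enabled(resp.read())

# Constructed sample responses, not captured from a real deployment.
SAMPLES = {
    "enabled": '{ "fips": { "enabled": true } }',
    "disabled": '{ "fips": { "enabled": false } }',
    "string_value": '{ "fips": { "enabled": "true" } }',
    "missing_section": '{}',
    "not_json": '<html>login</html>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16} -> {parse_fips_enabled(body)}")
```

For a cluster, run check_fips against every node, since each node must be deployed in FIPS compliant mode.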
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.3.0, 6.3.1